Report: Feds demand major internet companies turn over user passwords

3 years ago

(Jonathon M. Seidl) The federal government has demanded that major internet companies turn over users’ stored passwords, two sources told the respected tech website CNet.

So what exactly does this “escalation” — as CNet calls it — mean?

“If the government is able to determine a person’s password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user,” the report says. “Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.”

But it doesn’t end there. The government is not only requesting the passwords, but its also asking for algorithms and even security questions:

Some of the government orders demand not only a user’s password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. A salt is a random string of letters or numbers used to make it more difficult to reverse the encryption process and determine the original password. Other orders demand the secret question codes often associated with user accounts.

According to the report’s sources, the government has requested password information on numerous occasions. Still, both sources said the companies fight them.

“We push back,” one said.

“There’s a lot of ‘over my dead body,’” said another.

Most of the big internet companies — Microsoft, Google, and Yahoo — declined to comment or give any specific information regarding the allegations, but Yahoo did say, “”If we receive a request from law enforcement for a user’s password, we deny such requests on the grounds that they would allow overly broad access to our users’ private information. If we are required to provide information, we do so only in the strictest interpretation of what is required by law.”